If you’re familiar with the film The NeverEnding Story, then you know that the goal of the hero, Atreyu, was to reach the boundaries of Fantasia. He’s disappointed to learn that Fantasia has no boundaries because it’s the land of human fantasy.
In some ways, the land of Fantasia is like network security. Where once there existed a fortress around the perimeter of a land that needed to be protected, those boundaries have expanded, leaving security professionals scratching their heads trying to discern how best to protect the enterprise against invaders.
The idea that time and resources should be invested in either network security or application security is misguided, as both are equally important to securing the enterprise.
Yet, according to a recent Forrester Research report on the state of network security, the largest portion of the security technology spending budget in 2015 was on network security, with an expected increase in this budgetary category in the years to come.
“Looking ahead, 41% of decision-makers expect to increase spending on network security at least 5% from 2015 to 2016, with 9% of security decision-makers planning to increase network security spending more than 10%,” the report said.
While application security has been around for a while, IT professionals remain entrenched in the traditions that are at the root of network security. The result has often been a budgetary either-or decision when it comes to investing in security tools.
The reality is that just like Fantasia, the network has no boundaries.
While it’s easy to dismiss The NeverEnding Story as a children’s movie, there is much that the adult world and the cybersecurity world can learn from children. In a Jan. 7, 2016 Marketplace Education story on NPR, “Kids start honing their cybersecurity skills early,” one fourth grader, James Estrella, offered some sage advice.
“Estrella said he already knows more about computers than his parents. To have good security you need to get rid of bugs in your code, he said. Oh, and to make strong passwords. Otherwise, he pointed out, you could get hacked.”
In reference to the NPR story, Cigital Internal CTO John Steven said that even these young children have realized it’s not about the network.
Over the last two decades, people have taken an outside-in approach, with a focus on perimeter security and firewalls. “There is no perimeter,” Steven said. “We carve holes in our networks to do business.”
“Organizations that think they are going to stay in the legacy environment fail to see that they don’t have limits to their network. The perimeter isn’t there,” Steven said. At home we buy devices to have them talk to each other, and the enterprise environment is no different.